Following a data breach, consumers suffer an increased risk of identity theft because of the exposure of their personal information. Limited protection by data-breach statutes has made it difficult for consumers to seek compensation for these injuries and penalize the companies that fail to protect their information, leading consumers to bring common law claims in court. Yet courts have disagreed about whether an increased risk of identity theft qualifies as an injury-in-fact under Article III standing principles: the Seventh and Ninth Circuits have approved of increased risk standing, while the Third Circuit has rejected it. The Supreme Court has further clouded the issue with its recent examination of the injury-in-fact requirement in Clapper v. Amnesty International USA. This Note argues that courts should recognize increased risk standing in certain circumstances, even after Clapper, by applying a framework examining certain key factors in data breaches. It further contends that courts, in implementing this framework, should borrow certain elements from the damages analysis for common law claims to prevent the prompt dismissal of claims based on increased risk when considered on their merits.
A Day in Court for Data Breach Plaintiffs: Preserving Standing Based on Increased Risk of Identity Theft After Clapper v. Amnesty International USA,
Mich. L. Rev.
Available at: https://repository.law.umich.edu/mlr/vol114/iss8/3